Shamoon Malware and SCADA Security – What are the Impacts?

Ed. Note: This is a significant update to an article first published on Sept 25, 2012. The original article is available as a download in Related Links.

The most destructive post-Stuxnet discovery among advanced threats is the malware known as Shamoon. Like Stuxnet, Duqu and Flame, it targeted energy companies in the Middle East, this time Saudi Aramco, Qatar’s RasGas and likely other oil and gas concerns in the region. It is a new species, however, because it did not disrupt an industrial process as Stuxnet did, nor did it stealthily steal business information as Flame and Duqu did. Instead it removed and overwrote the information on the hard drives of 30,000 to 55,000 (yes, those numbers are correct!) workstations of Saudi Aramco (and who knows how many more at other firms).

Nothing this damaging has been seen in a while. As a Kaspersky Lab expert commented “Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.”

What does Shamoon mean for SCADA and ICS Security? Hold that thought for a few paragraphs…

Saudi Aramco’s headquarters complex. This is one of the sites where workstation hard drives were wiped clean by the Shamoon virus. Photo: Wikipedia

The name Shamoon comes from a folder name within the malware executable:

“c:\shamoon\ArabianGulf\wiper\release.pdb”

While the significance of the word “Shamoon” is not known, it is speculated that it is the name of one of the malware authors. Shamoon is the equivalent of Simon in Arabic.

Symantec describes Shamoon as having 3 components:

Dropper – the main component and source of the original infection. It drops components 2 and 3 onto the infected computer, copies itself to network shares, executes itself and creates a service to start itself whenever Windows starts.

Wiper – this is the destructive module. It compiles a list of files from specific locations on the infected computers, erases them, and sends information about the files back to the attacker. The erased files are overwritten with corrupted JPEG files, “obstructing any potential file recovery by the victim” [1].

Reporter – this module sends infection information back to the attacker’s central computer.
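The wiper behaviour described above (files erased and overwritten with corrupted JPEG data) leaves a footprint that a file-integrity baseline can catch. The following Python script is an added example written for this article, not code from Tofino Security, Symantec or the malware analysis it cites; it builds a SHA-256 manifest of a directory tree, re-verifies it later, and flags modified files whose new content carries a JPEG header under a non-image extension. The JPEG-header heuristic is an assumption derived from the article's description of the overwrite pattern, and the directory contents in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile

# JPEG files begin with the SOI marker FF D8 FF.
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def looks_like_disguised_jpeg(path):
    """True if the content starts with a JPEG header but the extension is not an image type.

    This is the assumed overwrite signature: a document whose bytes were
    replaced by JPEG-looking junk, as the article describes for the wiper.
    """
    ext = os.path.splitext(path)[1].lower()
    if ext in IMAGE_EXTENSIONS:
        return False
    with open(path, "rb") as f:
        return f.read(3) == JPEG_MAGIC


def verify_manifest(root, manifest):
    """Compare a directory against its baseline manifest.

    Returns lists of 'missing' files, 'modified' files (digest changed), and
    'suspicious' files (modified and now carrying a JPEG header under a
    non-image extension).
    """
    result = {"missing": [], "modified": [], "suspicious": []}
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            result["missing"].append(rel)
            continue
        if sha256_file(full) != digest:
            result["modified"].append(rel)
            if looks_like_disguised_jpeg(full):
                result["suspicious"].append(rel)
    return result


def demo():
    """Constructed scenario: baseline a tree, overwrite one file, delete one, verify."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.docx"), "wb") as f:
        f.write(b"PK\x03\x04 constructed document body")
    with open(os.path.join(docs, "notes.txt"), "wb") as f:
        f.write(b"constructed notes")
    with open(os.path.join(docs, "photo.jpg"), "wb") as f:
        f.write(JPEG_MAGIC + b"\xe0 constructed image")  # legitimate image, must not be flagged
    baseline = build_manifest(root)
    # Simulate the described overwrite: document content replaced by JPEG-looking junk.
    with open(os.path.join(docs, "report.docx"), "wb") as f:
        f.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
    os.remove(os.path.join(docs, "notes.txt"))
    return verify_manifest(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the manifest would be generated when a workstation image is known-good and stored off-host, since an integrity baseline kept on the same disk is wiped along with everything else; `verify_manifest` then gives responders a fast triage list of which files were destroyed versus merely changed.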

While all of this sounds sophisticated, expert analysis (Kaspersky Labs) concluded, due to a number of errors found in the code, that the developers of Shamoon are “skilled amateurs”. They are not in the same league as the sophisticated coders of Stuxnet and Flame.

What Damage did Shamoon do?

“…the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network. The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network."

“You don’t destroy 30,000 workstations without causing a vast amount of damage. It might be possible that the attack didn’t directly hit oil production or harm the flow of oil out of the ground. No one I’ve spoken to has suggested it did, but it’s clear that if the company's statement is true then Aramco used a very strict reading of the phrase ‘oil production.’”

Mr. von Hoffman went on to question the Saudi Aramco statement that all damage had been repaired by Aug 26th. He also wonders, in the days of oil and gas projects being dominated by joint ventures, how other energy companies’ computers could not have been damaged by Shamoon.

Bloomberg attributes the attack to a single perpetrator who did not have the skills to do advanced coding or attack the company’s oil production sites. Their view rests on the fact that the forensic analysis of the code does not show advanced elements that typically suggest a nation state perpetrator. The motive in this case is believed to come from the disenfranchised Shiite minority in Saudi Arabia’s eastern province.

However, ISSSource describes how “Iran’s Cyber Army” has been building up its capability over time and attributes the attack to Iran working with an insider. It also puts forward two theories about why the Iranians might have instigated it.

One theory is that the attacks were motivated by “deep wrath” at the Saudi government because of:

The mistreatment of the Shiites by Saudi Aramco.

The Saudi government’s assistance to Sunni factions in Syria and Bahrain.

The other theory is that the attacks are retaliatory measures against the U.S. for:

Stuxnet, the U.S.-Israeli backed malware that disrupted Iran’s nuclear enrichment program, and

Payback for the severe U.S.-imposed sanctions that have sent the Iranian economy into a tailspin.

What does Shamoon have to do with SCADA and ICS Security?

Shamoon was a destroyer of data on workstations of energy companies in the Arabian Gulf. There is no evidence that it had any impact on SCADA or ICS systems.

What does it mean for automation professionals? The good news is that, like Stuxnet, Flame and Duqu, Shamoon was highly targeted. But the bad news is that it is another indicator that industry, especially the energy industry, is now a target.

Also, you might want to update your risk assessments. Of great concern is the fact that this attack lowers the bar for effective disruption of a business. One or more people with skills slightly better than amateurs and a relatively low level of effort were able to penetrate a well-protected network and destroy massive amounts of data (albeit with insider access). In addition, they did it at a scale and speed that is unprecedented.

Imagine the damage that could be done if any group of people with an axe to grind against your organization activated a similar attack against you. The success of Shamoon is sure to attract copycats. This rouses the kind of fear we have when we think of terrorists getting their hands on nuclear weapons. No rules of engagement apply!

Call it “cyber warfare” or “cyber hype”, the bottom line is that the information/networked world is facing increased threats and SCADA and ICS systems are part of that world.

What are your thoughts on Shamoon? Does its discovery impact your security strategy?

Comments

Good summary of the Shamoon malware, though formally the link between Shamoon and the Aramco / Rasgas attacks has never been confirmed by either company.

I think Shamoon is the most worrying event in security, not so much because Shamoon is very advanced malware (it isn't), but because of the destructive nature of the malware.

We see several very good malware development tools in the market; combining these capabilities with an intention to cause as much damage as possible to the infected computer is a frightening world if we also realize that AV has several shortcomings. Too much malware has slipped through the defenses in the last two years.

After attending the ICS conference in Norfolk this week, it is more clear than ever, that the cyber crime perpetrators - whether rogue, state-sponsored or company insiders - must be dealt with using the full force of existing laws. These crimes are extremely dangerous to a vulnerable society and to the economic and financial underpinnings of the world. Additional legislation must be considered and enacted in each democratic country to deal with these criminals regardless of where they may be.
Secondly, the eventual ability of cyber defenses to pinpoint the sources and physical locations of perpetrators will assist in seizure of equipment and the capture of such evil-doers. We will need some version of counter-terrorist military teams to pursue these criminals. Wide news coverage of convicted cyber criminals will perhaps help lower these rogue or insider incidents.

Good Shamoon summary. I do hope that the parenthetical phrase 'albeit with insider access' wasn't intended to be dismissive of this important attack vector. Insiders have been an important tool for government attacks on their adversaries for thousands of years. It isn't much of a stretch to assume that any organization of a size that would be willing to accomplish something as bold as the Aramco attack would be willing to use this type of tool to make their attack more effective.

The (albeit with insiders) was not meant to be dismissive, just factual.

Shamoon is one for the history books, like Stuxnet, but because of its overall destructiveness. As Nick Denbow mentions in his comment, think of the damage possible if the insider were paired with a team with strong programming skills.

The insider threat needs to be factored more significantly into risk assessments, just as Bryan says that the companies in the region are doing.

This suggested disgruntled employee, although classed as an enthusiastic amateur in cyber crime, has demonstrated what someone with some inside IT knowledge can achieve. So the next one like him will make contact with some less amateur cyber criminals to combine resources, compounding the threat by combining their various bits of expertise.
Thanks Heather, for your excellent review: as you say, with so many automation and control supplier companies in joint ventures with Saudi Aramco, not to speak of petrochemical companies, how far can Shamoon penetrate into their IT systems, and do they know? Looking just at the Sadara JV there are immediate links into Dow Chemicals and ABB - as mentioned in the INSIDER last month, the latter involves project engineering links to Jacobs Engineering, Fluor, Foster-Wheeler and Linde, plus other sub-suppliers like Yokogawa.

Specifically, those organized with dual firewall DMZ were able to restore key services earlier because:
1) DMZ was not infected in the first place
2) Scope of services in the DMZ was manageable (as compared to the entire IT network) which makes it easier to verify overall health.

Even with successful prevention many in the region are restoring services in a very deliberate manner based on a refresh of risk assessment.

Incidents like Shamoon will erode trust within an organization. Ironically this comes at a time when IT and OT will need to work together more than ever.

A comprehensive and insightful analysis of the Shamoon episode. It is indeed clear that episodes like Shamoon only reiterate what is widely acknowledged within industry circles. Although the consequences of Shamoon were destructive, it seems to me that the perpetrators had conceived the entire attack with surgical precision. A Shamoon-like attack on a control system would have had disastrous consequences and, more than that, it has the potential to become a precursor to war between hostile nations. It is now becoming increasingly certain that industrial cyber security will become a common underlying denominator of the next-gen enterprise.